Jit2 Task 1

Submitted By williamlonghair
BILLS DRUGS RISK REGISTER

Risk: Inability to receive merchandise from suppliers in China. * Global risk
Description: A large portion of our generic pharmaceuticals and merchandise are manufactured in China. Any trade embargos or military involvement would make those resources unavailable and cause a severe merchandise shortage. This will impact sales and profits.
Source: China has been aggressively posturing and advancing its military interests. If this trend continues, this could lead to trade embargos and/or military involvement.
Likelihood of Occurrence*: Medium - China has been slowly building up to the current level of posturing. At this time it is unknown how far they will go.
Severity of Impact*: High - The company's main source of income is the sale of goods. If Bills Drugs is unable to resupply, financial loss will follow.
Controllability*: Low - We cannot affect the outcome of this potential event. We can only attempt to mitigate its effects.

Risk: HIPAA data exfiltration by attack of the company network.
Description: The company network has been compromised and Health Insurance Portability and Accountability Act data has been exposed.
Source: A hacker successfully attacked the company network. Using a combination of social engineering and the exploitation of unpatched servers, the attacker was able to penetrate the corporate network.
Likelihood of Occurrence*: Medium - Our information security measures have discouraged or stopped many attacks. Given the sheer volume of potential attackers and attacks, no network is 100% secure.
Severity of Impact*: High - There will be fines and we will need to prove that we have been diligent in the protection of this data. Also there will be the damage to our public image that will need to be addressed.
Controllability*: Medium - Through proper application of security controls and continuous monitoring we can lessen the likelihood of this event.

Risk: A pharmacy gives a customer incorrect prescription medicines.
Description: A pharmacy has dispensed the incorrect medicine to a customer.
Source: Some form of human error, such as inattention to detail or possibly distraction, is the cause of this. A pharmacy team provided incorrect pharmaceuticals to a customer.
Likelihood of Occurrence*: Medium - Given the sheer volume of prescriptions filled and long hours worked, this happens from time to time.
Severity of Impact*: Medium - Depending on many factors, this could be as simple as a customer returning the incorrect product. Also, errors like this could lead to customer fatalities. There may be fines involved depending on the pharmaceuticals involved. There will be some form of damage to our public image because of incompetence. Litigation against the corporation as well as the individual pharmacist is also a possibility.
Controllability*: High - By the insertion of more checks into the currently existing procedures this risk can be controlled. The enforcement of standards and procedures can further control the likelihood of this risk occurring.

Risk: A robbery at a Bill's Drug location.
Description: A Bills Drugs has been robbed. All cash in the store has been taken.
Source: Both violent and non-violent robbery are on the rise. Any business that has cash on hand is a potential target.
Likelihood of Occurrence*: Medium - If a location has cash on hand there is the potential for robbery. While specific locations are more likely than others, the aggregate is a medium severity.
Severity of Impact*: Medium - As long as no destruction of property or loss of life is incurred. While there is a financial loss, a public image issue is also incurred. The image that we are easy targets is potentially there; this could lead to greater frequency of robbery.
Controllability*: Medium - With good security and systems in place a location becomes less attractive as a target. A less attractive target can mean the difference between being a victim and being bypassed by a criminal.

Risk: Economic recession
Description: Due to economic recession the customer base is spending less.
Source: A significant decline in economic activity lasting for an extended period. Many sources define the period as being at least several months in length.
Likelihood of Occurrence*: High - Economic recessions happen periodically, and they will continue to do so. Given that, there is a high probability that this risk will be realized.
Severity of Impact*: High - Losses in profits will be realized. There will be less revenue generated from all streams and the cost of products will go up.
Controllability*: Low - We cannot control the factors that cause this event. All that can be done is to attempt to mitigate the effects on the company.

Risk: Power outage at store with expected duration of less than one hour.
Description: Power outage on the local grid. After contact with the local power provider the duration is to be one hour or less.
Source: Power outage on the local grid with a variety of potential causes: transformer failure, lightning, or wind, to name a few.
Likelihood of Occurrence*: Low - While this event is unpredictable, on average these events happen at least twice a year at our stores. It should be noted that this number is an average. The individual number could be substantially higher or lower based on the area's infrastructure.
Severity of Impact*: Low - If there is no power at the store, shoppers cannot be allowed in for liability reasons. Customers already inside will not be allowed to complete their purchases. Without power the point of sales systems will not work, and only emergency lighting will be available.
Controllability*: Medium - With a backup power supply this can be completely controlled; customers in the store can complete their purchases and leave the store safely.

Risk: Loss of customer prescription data due to localized IT failure
Description: Loss of customer prescription data due to hard drive/computer failure at the store level.
Source: Failure of computer hardware/software.
Likelihood of Occurrence*: High - All hardware fails over time.
Severity of Impact*: Medium - All store pharmacy data at the affected site will be inaccessible. Prescriptions cannot be filled; also there will be damage to customer satisfaction and public image.
Controllability*: High - Data can be backed up locally and off site.

Risk: Work related back injury (store level)
Description: A staff member injures their back during the unloading of a delivery and/or restocking functions.
Source: Staff member suffered back injury stemming from improper lifting technique and not using a hand truck to move heavy and/or bulky objects.
Likelihood of Occurrence*: Low - This doesn't happen often; most of our merchandise arrives in manageable packaging.
Severity of Impact*: Low - From a store point of view the store is only one staff member down; workman's compensation and liability insurances come into play.
Controllability*: Medium - Unloading of trucks is a part of the stocking function in our stores. Precautions such as hand trucks and proper training can be utilized to manage this risk.

*High, medium or low designation for these three columns.

RISK RESPONSE: The discussion below should focus on how the company will respond if the risks occur. This discussion could also be included as a column in the risk register.
1. Risk Response One - Inability to receive merchandise from suppliers in China. * Global risk*

Locating manufacturers in other regions that can supply required products can mitigate the effects of having that source of goods removed. Mexico, South America, Eastern Europe and Cuba appear to be good areas to look to find manufacturing facilities to supply cost effective products. These manufacturers should be contractually obligated to uphold the same standards held by the current suppliers. It would be advisable to avoid any more suppliers in Asia until this current issue stabilizes. There are some exploitable risks that should also be addressed. First, if we start increasing our suppliers outside of China and are no longer receiving Chinese goods, we may be able to enhance our public image by publicizing that we have purposely left our Chinese manufacturers because of our disenchantment with China's current policies. Second, if conflict seems imminent, we may be able to increase our sales of emergency kits (both in store and online), especially if we include potassium iodide and Zofran; in some circles these are touted as anti-radiation drugs. In reality, one will prevent thyroid cancer due to radiation exposure, and the other prevents nausea from radiation exposure. We can package them as an added bonus to our existing kits at no added cost. Lastly, there is the possibility that we may be able to successfully win contracts with one or more branches of the military for basic products. To this end, sales and marketing personnel should be reaching out to various branches of the military and government to keep up to date on all contracts that are open or opening for bid.

2. Risk Response Two - HIPAA data exfiltration by attack of the company network.

Once a data breach has been discovered, the investigation and remediation phase will begin. From the information security point of view, this is incident response. In the incident response the following steps will occur: Identification, Containment, Eradication, Recovery, and Lessons Learned. More on the incident response plan is located in the procedural document "Incident Response Plan". Depending on the specialties required, outside vendors may be brought in to supplement the security staff. After the investigation and remediation phase has completed, communication to stakeholders, proper external agencies, affected customers, and the general public should begin. The findings of the investigation and remediation phase should be reviewed and the recommendations acted upon. Verify that corrections have been made to prevent re-infection. Also, a yearly cycle of independent security audits and penetration tests should be initiated to validate the current state of the network. This should be viewed as a preventative measure against future events and will provide a cost saving when compared to the overall cost of the breach.

3. Risk Response Three - A pharmacy gives a customer incorrect prescription medicines.

Safeguards will be put in place to prevent further occurrences of this issue. The first of those will be the purchase of prescription filling software and automated counting devices. The chosen product should not only show examples of the product that should be dispensed but also scan the barcodes of all items involved. Packages like HBS Pharmacy Software, PioneerRX, and Winpharm are some of the leaders in the field and should be considered for immediate adoption. This will need to be adopted in all locations to provide uniformity across the corporation. New workflows will need to be implemented and followed with an emphasis on customer care, not volume. The newly implemented workflow should incorporate rechecking of orders by another person (an accuracy checking role), or at the very least delayed self-checking rather than immediate self-checking. The workflow should also clearly assign duties to the staff. With the workflow implemented, mandatory breaks can be scheduled, which should reduce the stress and fatigue that may cause filling errors. Due to size constraints in the pharmacies, not all of the recommendations that follow may be able to be implemented; exceptions will be granted on a case by case basis. All pharmacies should have a large, clutter-free work space for the staff to work from. The pharmacy work area should be a distraction-free zone, and staff working with pharmaceuticals should not be interrupted. Pharmacy staff working with pharmaceuticals should not be performing multiple roles (cashier, cleaner, or answering the phone). Lastly, drugs with similar names or appearance should not be stored near each other; in the near future a guidance document will be issued outlining mandatory drug separations.

4. Risk Response Four - A robbery at a Bill's Drug location.

All staff should receive regular training not to resist an attempted robbery, and on what to do to minimize the chance of violence. In all trainings it should be emphasized that the safety of the staff members and customers is of primary importance. Another immediate policy change will be staffing. There will need to be an effort made at all locations to have no less than two staff members on duty at all times during working hours. During non-business hours and times where there is only one staff member present, all exterior doors must remain closed and locked.

Additional security items should be added to the stores as well. Closed circuit cameras should be mounted in conspicuous locations, including all cash registers and the front door. These cameras are meant to be seen, and should be visible. Even if a store has domed cameras to deter and/or observe shoplifting, these visible cameras should be implemented. Installation of panic buttons near the cash registers, in the pharmacy, and in the manager's office should occur as soon as possible. Drop safes should be installed in all locations; while there is no company standard at this time, a deposit safe that only opens during specific hours is preferred.

The cash on hand at the register should be limited. The working amount to be left in the register is to be decided by the manager based on need and business patterns. Cash drops to the safe should be made regularly to ensure that there is never a large sum in the register. Lastly, anytime the safe is open, the office door is to be shut and locked. Prior to opening the office door for any reason, the safe's doors must be shut and locked.

5. Risk Response Five - Economic recession.

It will need to be determined what products and product line types are selling and provide the best profit during the economic downturn. Using the information captured from our store sales, online sales, reward card program, and market/industry research, we will attempt to locate any trend. Once a trend is discovered, we will enhance the lines that are selling well in the hopes of providing a profit margin. Another way to increase the sales of these profitable items is to move them to primary positions on the shelves and on end caps.

The prices of comparable products sold by our competitors will need to be monitored. We will initiate a program of sale page review and on-site observation to ensure our prices are still competitive with or superior to our competition. We can also introduce other lines that may offer low cost alternatives to items that our competitors have and that we do not currently provide.

There should also be an increased emphasis on the development of our web based and mail order pharmacy (including the pet medicine sites). This is a profitable avenue that services the nation and can provide an additional revenue stream. Increased advertising with competitive merchandise should further increase overall profits given the national or potentially global customer base. Lastly, public relations campaigns should be launched portraying our chain as "Providing value for your hard earned money, because we care". Some examples of the campaigns and initiatives follow. Introduce programs to get low cost medication to the needy. Introduce programs to get low cost medication for the pets of people that cannot otherwise afford them. Find a way to offer free or low cost medical screenings in store. Run any event or promotion that gets people into the stores. The company should also be examining highly visible donations to charities that affect the well-being of the community. All public relations projects will need to be approved by the marketing department to ensure they are in line with current marketing strategies and will yield the desired results.

6. Risk Response Six - Power outage at store with expected duration of less than one hour.

To mitigate the risk, at least 5 battery back-up systems and flashlights should be in place at each store, possibly more dependent on sales volume. The back-up system should provide at least 100 minutes of service time, and power conditioning. Placement of the systems is as follows: one unit will be placed in the pharmacy to keep that area operational. A unit will be placed at the front end registers to keep a register operational as well as all accompanying point of sales equipment. Another unit will be placed in the pharmacy to keep the pharmaceutical refrigerator running to prevent medicine spoilage. A fourth unit will be in the office to keep the primary computers running, and lastly there will be a unit in the equipment closet to keep the backup server and networking equipment operational.

When a power failure occurs, staff should retrieve the flashlights located near the battery backup systems. One of the staff should then lock the front door and place a sign apologizing for the store being temporarily closed during business hours. Customers that are in the store should be asked politely to make their purchases and leave. The units on the battery backup systems will allow the customers to complete their transactions. Once all customers have completed their transactions, all the equipment can be shut down in accordance with end of day procedures.

7. Risk Response Seven - Loss of customer prescription data due to localized IT failure

To mitigate this risk, the primary store drive should be mirrored to a backup server in another part of the store. The backup server and the primary server should be on separate battery backup units. The reason that they should be on separate units is to avoid a single point of failure. Also, both servers should be subject to a regular maintenance regime to avoid common equipment failures whenever possible. An added bonus to this setup is that if the primary server fails, the backup can be promoted to run the store until the required repairs can be made.

Given the low cost of high speed internet, the server should also transmit changes to the corporate servers every hour and on demand. This will create an offsite backup of the data to guard against loss due to an event that might destroy both the primary and backup drives. As an added bonus, customers will be able to have their prescriptions filled at any location in the chain, and moving from one location to another is as simple as accessing the data and moving the user's data to the new server. As an interesting security note, because prescription data can be queried in real time there is virtually no chance for prescription abuse (double filling).

8. Risk Response Eight - Work related back injury (store level)

All staff members will receive training on how to properly lift materials, the safe use of material handling equipment (hand trucks and pallet jacks), and personal protective equipment. Posters on the proper way to lift should be posted in the break room and in the store room. At all store locations there shall be a selection of back support belts to be issued to staff members and to be worn while performing the stocking function. Also, eye protection, work gloves, hand trucks, pallet jacks and/or rolling work tables should be readily available to the staff members should they desire them. If an item is not easily carried, it should be moved via hand truck or rolling cart. There should be no stigma attached to the choice to use a hand truck.

At the purchasing department level, effort should be made to ensure that products we purchase come in manageable packaging. Cartons or cases that are delivered to us should be designed to be easily carried. Since this can be an added contractual obligation, it is suggested that all new contracts be reviewed to see if this is viable. Lastly, since we pay a premium for insurance, we should ask the insurance company to come out and review our procedures and make suggestions as to what we could do better to prevent this risk. Having the insurance company become a partner in our employees' well-being may lead to a reduced rate over time.
